SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

FCC May be Partially Reclassifying Broadband ISPs as Common Carriers (October 30, 2014)

Reports suggest that the US Federal Communications Commission (FCC) may soon partially reclassify broadband Internet service providers as common carriers, which means the FCC would have the authority "to police any deals between content companies and broadband providers." The reclassification would affect the service that ISPs offer content providers.
-http://arstechnica.com/business/2014/10/fcc-reportedly-close-to-reclassifying-isps-as-common-carriers/
[Editor's Note (Pescatore): From a security point of view, common carrier status is a mixed bag. ISPs have largely claimed that status to justify why they continue to happily deliver easily identified spam, malware and denial of service attacks to their paying customers. The FCC legally classifying the "backend" services as Common Carrier services might clearly say the retail (delivery) end is *not* and open up liability claims for delivery of dangerous content, but the Communications Decency Act and the Digital Millennium Copyright Act gave ISPs loads of cover for avoiding that liability. On the back end, Common Carrier status comes with FCC ability to regulate; the FCC *could* force ISPs to filter more, but the pace of regulation never, ever keeps up with the pace of technology or threats. (Murray): Hopefully cooler heads will prevail here. Regulating the Internet as a common carrier in the name of net neutrality ranks right up there with destroying a village in order to protect it. The discussion of net neutrality is about discriminatory behavior that has rarely been shown to exist and which transparency, accountability, and competition might well solve in any case. "Common Carrier" regulation was intended to regulate what was then seen to be a "natural monopoly," an idea long since given up. We no longer even regulate railroads that way. There must be a more measured remedy here than turning the clock back eighty years and shackling the most dynamic part of our economy with stifling regulation designed to solve a very different problem.]

Google and Mozilla will Disable Support for SSL 3.0 in Next Versions of Browsers (November 1, 2014)

Google plans to disable support for SSL 3.0 in the next version of its Chrome browser. When Google researchers disclosed the POODLE vulnerability in SSL 3.0 last month, they released a patch for servers, but if browsers no longer support the protocol, the risk of exploits drops considerably. Mozilla plans to disable support for SSL 3.0 in Firefox 34. Microsoft has released a "Fixit" tool that allows users to disable SSL 3.0; Apple has not blocked SSL 3.0, but has disabled cipher block chaining, which underlies the POODLE flaw. -http://www.eweek.com/security/google-takes-new-steps-to-block-poodle-flaw.html
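The four responses in this item (browsers dropping SSL 3.0, a server-side fix, and Apple keeping SSL 3.0 but removing CBC suites) all remove the same exposure. The following is a small model written for this summary, not code from Google, Mozilla, Microsoft or Apple: it assumes a simplified "retry one protocol version lower after a failed handshake" behaviour for legacy browsers, a constructed cipher list, and the fact that POODLE is a padding-oracle attack that needs an SSL 3.0 connection using a CBC cipher suite. Names such as `Client`, `Server`, `connect` and `evaluate_responses` are this example's own.

```python
"""Model of why disabling SSL 3.0 (client or server side) or dropping CBC suites
for SSL 3.0 closes POODLE exposure. Constructed illustration for this summary;
the version list, cipher names and the fallback logic are modelling assumptions.
"""
from dataclasses import dataclass

# Protocol versions, highest preference first (assumption: no TLS 1.3, which
# postdates this 2014 story).
VERSIONS = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]

# Constructed cipher set. POODLE attacks SSL 3.0's CBC padding, so only CBC
# suites matter; RC4 was the common non-CBC suite available under SSL 3.0.
CBC_CIPHERS = {"AES128-SHA", "DES-CBC3-SHA"}
CIPHER_PREF = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]


@dataclass
class Client:
    versions: list                 # protocol versions the browser still speaks
    ciphers: set
    fallback_retry: bool = True    # legacy "retry one version lower" behaviour
    cbc_on_sslv3: bool = True      # Apple's response: keep SSLv3, drop CBC suites


@dataclass
class Server:
    versions: list
    ciphers: set


def negotiate_version(offered, server):
    """Highest protocol version both sides support, or None."""
    for v in VERSIONS:
        if v in offered and v in server.versions:
            return v
    return None


def choose_cipher(version, client, server):
    """First mutually supported suite in preference order, honouring the
    client's rule of refusing CBC suites when the session ended up on SSLv3."""
    allowed = set(client.ciphers)
    if version == "SSLv3" and not client.cbc_on_sslv3:
        allowed -= CBC_CIPHERS
    for c in CIPHER_PREF:
        if c in allowed and c in server.ciphers:
            return c
    return None


def connect(client, server, interference=False):
    """Return the (version, cipher) a handshake settles on, or (None, None)
    when the connection fails closed.

    `interference` models an on-path party breaking every handshake except the
    last one the client is willing to try. A legacy client answers each failure
    by retrying one version lower, which is how a session could be driven down
    to SSL 3.0 while both sides still allowed it. Once one side has dropped
    SSL 3.0, the same interference can only break the connection, not lower it.
    """
    offered = [v for v in VERSIONS if v in client.versions]
    while offered:
        version = negotiate_version(offered, server)
        if version is None:
            return None, None
        if interference and version != offered[-1]:
            if not client.fallback_retry:
                return None, None      # broken handshake, no downgrade retry
            offered = offered[offered.index(version) + 1:]
            continue
        cipher = choose_cipher(version, client, server)
        return (version, cipher) if cipher else (None, None)
    return None, None


def poodle_exposed(version, cipher):
    """POODLE needs SSL 3.0 *and* a CBC suite; either change alone is enough."""
    return version == "SSLv3" and cipher in CBC_CIPHERS


def evaluate_responses():
    """Run each response from the story against the worst case: a server that
    still offers SSL 3.0 with CBC suites, under active interference."""
    all_ciphers = CBC_CIPHERS | {"RC4-SHA"}
    weak_server = Server(VERSIONS, all_ciphers)
    hardened_server = Server(VERSIONS[:3], all_ciphers)   # SSL 3.0 disabled
    legacy = Client(VERSIONS, all_ciphers)
    scenarios = {
        "legacy browser vs. unpatched server": (legacy, weak_server),
        "SSL 3.0 disabled in browser (Chrome, Firefox 34, Fixit)":
            (Client(VERSIONS[:3], all_ciphers), weak_server),
        "CBC disabled for SSL 3.0 (Apple)":
            (Client(VERSIONS, all_ciphers, cbc_on_sslv3=False), weak_server),
        "legacy browser vs. server with SSL 3.0 disabled": (legacy, hardened_server),
    }
    results = {}
    for name, (client, server) in scenarios.items():
        version, cipher = connect(client, server, interference=True)
        results[name] = (version, cipher, poodle_exposed(version, cipher))
    return results


if __name__ == "__main__":
    for name, (version, cipher, exposed) in evaluate_responses().items():
        print(f"{name}: {version} / {cipher} -> {'EXPOSED' if exposed else 'ok'}")
```

Running it shows the legacy pairing settling on SSLv3 with a CBC suite (exposed), the SSL 3.0-free browser bottoming out at TLS 1.0, Apple's configuration landing on SSLv3 with RC4 (not exposed to POODLE, though still on an obsolete protocol), and the legacy browser against a hardened server failing closed rather than downgrading. Disabling SSL 3.0 on whichever side you control is therefore sufficient on its own, and is the stronger fix because it also retires the protocol rather than one cipher mode.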

The newest version of Mac OS X, Yosemite, automatically saves files to iCloud, even if those files are never actually saved on the device where they are created. The point of the feature is that users can access documents from any Apple device. However, there is no warning that the program will do this. The autosave feature can be disabled.
-http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/
[Editor's Note (Murray): Must have seemed like a really good idea at the time. God please save us from programmers who cannot check inputs but who can implement all kinds of gratuitous functionality. (Honan): This is a good example of why Privacy by Design and conducting a Privacy Impact Analysis (PIA) are so important when developing or adding new features to a system. As our online lives become more and more intertwined, this will become even more important.]

**************************** SPONSORED LINKS ******************************

1) Did you miss the Data Center Server Security webcast? Find the archived webcast & whitepaper here: http://www.sans.org/info/170647

2) Build bridges between Security and Development. Register for this webinar on Secure Agile featuring Adrian Lane of Securosis and Chris Eng of Veracode. http://www.sans.org/info/170907

THE REST OF THE WEEK'S NEWS

Attackers Stealing and Selling Rewards Points (November 3, 2014)

Thieves have been targeting rewards points programs offered by hotels and other organizations. Often, the online management systems for the programs lack adequate security. One man discovered that 250,000 Hilton HHonors points he had accrued through use of a credit card had been spent by thieves, who managed to access the account online, change the associated email addresses, and even use the associated credit card to make additional charges. Hilton allows two methods of account access: username and password, or member number and four-digit PIN. Brian Krebs discovered that there are online forums where rewards points are being offered for sale at fractions of their value.
-http://krebsonsecurity.com/2014/11/thieves-cash-out-rewards-points-accounts/

Microsoft Phasing Out Windows 7 and Windows 8 (November 3, 2014)

Microsoft has stopped selling retail copies of most versions of Windows 7 and Windows 8. The default operating system sold until Windows 10 is released late next year is Windows 8.1. Users who want to run Windows 7 can in some circumstances downgrade from Windows 8.1 to Windows 7 Professional. Just over half of Windows users are now running Windows 7.
-http://www.zdnet.com/going-so-soon-microsoft-ends-retail-sales-of-windows-8-7000035347/
-http://www.bbc.com/news/technology-29880144
[Editor's Note (Pescatore): Security patch support for Windows 7 will continue through January 2020. By then, every enterprise should plan on living with/supporting auto-update of security patches for all user devices - PCs, tablets, smartphones, wearables, whatever else users are demanding to use by 2020. Once-a-month patching is a relic of the old Windows/PC homogeneity/monopoly era, which is over and never coming back.]

New Version of Adobe eReader Collects Less Data (November 2, 2014)

The most recent version of Adobe Digital Editions e-reader software appears to collect less user data than earlier versions, which were reportedly sending information about readers' activity back to the company in plaintext. Version 4.0.1 of Digital Editions now collects information only about books that are protected by digital rights management (DRM) software. Adobe said last month that it would stop collecting information on books not protected by DRM and that it would encrypt data sent back to the company.
-http://www.computerworld.com/article/2842243/adobes-e-reader-software-now-collects-less-data.html
[Editor's Note (Pescatore): Maybe Adobe and McAfee will announce that the constant stream of Adobe patches will no longer try to trick users into installing McAfee software?]

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/